c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd

Analysis

max time kernel
64s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe
Size

2.1MB
MD5

8aad8fefc7f1ba224601c3312467b380
SHA1

10dede04c29bde27164b80466e87572ee7e995b0
SHA256

c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd
SHA512

cedca215c8a96340d3d8f3df1b9b3fcd1f09f59e4d27d26bdf2e8063fedf1032357d394afe383f1a41158cec7ea53a8a0fe5db1b6a8f08d8e11c704a8affc09c
SSDEEP

24576:h1OYdaOSjfen1Y6KIc8dPc3Mp6CzcJcB1TE1VyDGxQQYxMfyylmCHxxyJGb8tS:h1Os6ZIdJc346K1TcAGb8tS

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	FqbtkuguDE6K229.exe

Loads dropped DLL 4 IoCs

pid	Process
580	c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe
576	FqbtkuguDE6K229.exe
1848	regsvr32.exe
1480	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdlddbpnkclejojbmdekhgmfjhlogcga\1.0\manifest.json	FqbtkuguDE6K229.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdlddbpnkclejojbmdekhgmfjhlogcga\1.0\manifest.json	FqbtkuguDE6K229.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdlddbpnkclejojbmdekhgmfjhlogcga\1.0\manifest.json	FqbtkuguDE6K229.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	FqbtkuguDE6K229.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	FqbtkuguDE6K229.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	FqbtkuguDE6K229.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	FqbtkuguDE6K229.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	FqbtkuguDE6K229.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll	FqbtkuguDE6K229.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll	FqbtkuguDE6K229.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.dll	FqbtkuguDE6K229.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.dll	FqbtkuguDE6K229.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.tlb	FqbtkuguDE6K229.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.tlb	FqbtkuguDE6K229.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.dat	FqbtkuguDE6K229.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.dat	FqbtkuguDE6K229.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 576	580	c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe	28
PID 580 wrote to memory of 576	580	c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe	28
PID 580 wrote to memory of 576	580	c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe	28
PID 580 wrote to memory of 576	580	c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe	28
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 576 wrote to memory of 1848	576	FqbtkuguDE6K229.exe	29
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30
PID 1848 wrote to memory of 1480	1848	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe
"C:\Users\Admin\AppData\Local\Temp\c2a054d501557b80601bb71fd5580bd809a11d001407d122b9cbc66609e902bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580
- C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\FqbtkuguDE6K229.exe
  .\FqbtkuguDE6K229.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.dat

Filesize
6KB

MD5
470ad0f4e11c331388faf15e5c004cda

SHA1
b31b4f41bb002cbf5cc086ee11c041a91df6b3ec

SHA256
794564886f140bb75f60f27540ca7482844c07b08a2ffe40c026095e8bcbc0f0

SHA512
ac9aa61a1cb9e289519001e3910fce47cf0daed7624d671850c45dbb76ac0e9004aed9b648e7a52e0d3a6ff7944527c433cd50c56f079e8d7d63676dde5979bb

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
02a9d87455680bf6bfeba7c3f3948426

SHA1
51fce46ff024f76e53fe51f9094b7ba6bdbef8e0

SHA256
1a771325454f8ae608c2f4a56fc8f4d2f9699ce0a38188621c1d132efef52bbc

SHA512
70af864eff22b3775a15145bc9dde5c5161db3ba4a56c676bd86c34c8d0e166aca1d423a66970cf2582b4cca31e94ec362c011e9dfd86ca8996122e80d4aae33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
7b355c1ee020e521926b50da07e8127d

SHA1
04b53fceb142da1fae4546a380bbe944825ed6be

SHA256
7aa8f8c26ed20d3ceab9348eb4b35f85cb3171cda65ca63efaf560ba1e9b1cf2

SHA512
c60796dc9eb86edb8557781f8435e2e90fb017ba71bb6ef8900201d5b22332bc291edc5c37ef467de84ea707d5f654bbd26eb169d2a8269e8b1e8cfd58072a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\[email protected]\install.rdf

Filesize
604B

MD5
6532c95e828cf31b6e3a75df81ca16ac

SHA1
4252d7997c6db181c2f53668c683219cf52fe357

SHA256
dfca1bdb6dbc0b9366fc39b969be59ad4eb1c9e3a03945e945bb7057ea359112

SHA512
fe4301bc583e23265534ac361f89585192837a8e068c2d2b1797aed451ecb4d05a11d6e31f52866f7dd6965c52d030e75305e4a8dc560f5629012551e97c31e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\FqbtkuguDE6K229.dat

Filesize
6KB

MD5
470ad0f4e11c331388faf15e5c004cda

SHA1
b31b4f41bb002cbf5cc086ee11c041a91df6b3ec

SHA256
794564886f140bb75f60f27540ca7482844c07b08a2ffe40c026095e8bcbc0f0

SHA512
ac9aa61a1cb9e289519001e3910fce47cf0daed7624d671850c45dbb76ac0e9004aed9b648e7a52e0d3a6ff7944527c433cd50c56f079e8d7d63676dde5979bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\FqbtkuguDE6K229.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\FqbtkuguDE6K229.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\KIjoXjwX6z1zDS.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\KIjoXjwX6z1zDS.tlb

Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\KIjoXjwX6z1zDS.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\hdlddbpnkclejojbmdekhgmfjhlogcga\background.html

Filesize
139B

MD5
65ee850b26c0a8d9e006d15fca54e9eb

SHA1
22df05accc1417637089e8f76206135be5a2703b

SHA256
af2602cf4085ff2908b7fac8b12fdf331dfebdfd1c246c8fe0fb7a11d6a657a3

SHA512
43977e265148d72a0a1718a93b760fa96a999bd4ef1df086fbbac620d9466c0ee514c6f47043a709aabe04884f507c045bb2f256365f413708d1779635d67c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\hdlddbpnkclejojbmdekhgmfjhlogcga\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\hdlddbpnkclejojbmdekhgmfjhlogcga\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\hdlddbpnkclejojbmdekhgmfjhlogcga\manifest.json

Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS164F.tmp\hdlddbpnkclejojbmdekhgmfjhlogcga\os.js

Filesize
5KB

MD5
d705bf494eef6ad9d8fb059c7541463a

SHA1
61556b1ca22a3a514eb2fae0b33e51acb621c9b4

SHA256
e4b2bbaeb5793804fa1d7f8be35ce3d6bfe055a252e5e7757dca0442b3282583

SHA512
f28cf1b177ff120553e75d65fc02960f87d507c984ab8e27af7505e17b17b57c248711f5378b281c2709a628887d5f7997d05960873a16e9447136479bb56781

Download Submit
\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\YoutubeAdBlocke\KIjoXjwX6z1zDS.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Users\Admin\AppData\Local\Temp\7zS164F.tmp\FqbtkuguDE6K229.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
memory/580-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/1480-78-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download